Wasabi Protocol suffered a multi-chain exploit that drained more than $5 million from its derivatives vaults, according to findings from blockchain security firms including PeckShield and Blockaid.

The breach affected deployments on Ethereum, Base, Berachain, and Blast. Investigators traced the incident to a compromised admin key tied to the protocol’s deployer wallet, which allowed the attacker to take control of critical contract functions.

Compromised admin role enabled contract takeover

Blockaid reported that the attacker gained ADMIN_ROLE through the deployer address, which held exclusive control over Wasabi’s contract permissions. The attacker then granted privileges to a malicious contract and upgraded vault implementations to drain user funds.

The exploit did not rely on flaws in smart contract logic. Instead, it leveraged access control through a single externally owned account. This structure allowed immediate execution without delay mechanisms such as multisignature approval or timelocks.

Security researchers noted that the attacker used upgradeable proxy contracts to execute the drain. Funds from perpetual vaults and the LongPool were siphoned after unauthorized upgrades redirected balances.

Stolen assets consolidated and routed through Ethereum

Cyvers reported that the attacker extracted a mix of assets, including WETH, USDC, PEPE, MOG, ZYN, REKT, cbBTC, AERO, and VIRTUAL. A large portion of the losses came from WETH, with one transaction alone accounting for over $1.9 million.

After the exploit, the funds were converted into ETH, bridged to Ethereum where needed, and distributed across multiple addresses. Early traces indicated links to Tornado Cash, which has been used in previous incidents to obscure transaction flows.

Blockaid issued a warning that all liquidity provider tokens tied to affected vaults should be considered unsafe.

“All Wasabi/Spicy LP-share tokens minted by these vaults should be treated as COMPROMISED,” the firm stated.

Protocol and partners move to contain fallout

Wasabi Protocol acknowledged the incident and urged users to halt activity. “As a precaution, please do not interact with Wasabi contracts until further notice,” the team said in its public statement.

The exploit affected vault-based products that held user deposits across multiple chains. Prior to the breach, Wasabi’s total value locked stood at approximately $8.5 million, based on available on-chain data.

Virtuals Protocol, which integrates Wasabi infrastructure for margin deposits, suspended related functions after the incident. The team confirmed its own systems remained unaffected but froze deposits as a safeguard.

Users with exposure faced immediate risks tied to token approvals and vault positions. Security guidance included revoking permissions and avoiding any interaction with compromised contracts until further updates.

Incident reflects broader DeFi security challenges

The Wasabi exploit adds to a series of attacks that targeted decentralized finance platforms during the same period. Data shows more than $600 million in losses across over 25 protocols this month.

Several of those cases involved similar attack vectors, where privileged access or upgrade mechanisms provided a path to drain funds without triggering standard safeguards.

The Wasabi breach followed other incidents affecting smaller and mid-sized protocols, including losses reported at Aftermath Finance and bridge-related exploits on Base. These events occurred despite audits and existing security frameworks.

On-chain investigators also pointed to structural risks tied to centralized control points. In the Wasabi case, a single admin key controlled multiple chains and contracts. Once compromised, the attacker gained full authority across the system.

Early signals show evolving attack patterns

Researchers observed that the attacker used consistent tooling and contract patterns linked to earlier activity. Blockaid noted similarities in orchestrator contracts and strategy code, which suggests repeated targeting methods.

Separate commentary from developers raised questions about whether automated systems could assist in identifying vulnerable protocols. However, no confirmed attribution has been established in this case.

The Wasabi team has not yet released a full post-incident report. The deployer key linked to the breach remained active at the time of initial findings, which added urgency to mitigation efforts.

The event underscores how access control design can determine protocol resilience. Even audited systems remain exposed when administrative authority rests with a single key.

DeFi United rsETH Restoration Plan after $292M Exploit | HODL FM NEWS
DeFi United releases a plan to restore rsETH backing after a $292M exploit, detailing ETH recovery, liquidation steps, and governance-driven execution.
hodl-post-imageHODL FM News: The Wildest Ride in the Crypto MarketKristian Koch
hodl-post-image

Disclaimer: All materials on this site are for informational purposes only. None of the material should be interpreted as investment advice. Please note that, despite the nature of much of the material created and hosted on this website, HODL FM operates as a media and informational platform, not a provider of financial advisory services. The opinions of authors and other contributors are their own and should not be taken as financial advice. If you require advice, HODL FM strongly recommends contacting a qualified industry professional.